Now released to general availability: Always Encrypted with secure enclaves expands confidential computing in Azure SQL. It helps prevent sensitive data from being removed by rogue administrators, DBAs or cloud operators.
Data is encrypted and decrypted on the client side without ever being revealed in plaintext within the database system itself. The trusted execution environment is called a secure enclave. The enclave computes on plaintext, but its data and code cannot be viewed from outside.
You can see the architectural diagram and find out more here: Always Encrypted with secure enclaves now generally available in Azure SQL Database